After running a vulnerability scan this is the only item I cannot fix. Upon installing SQL Server 2008 R2, according to Microsoft there are six 'Prinicpals' or Certificate-Based SQL Server Logins: The following principals are created from certificates when SQL Server is installed, and should not be deleted. ##MS_SQLResourceSigningCertificate## ##MS_SQLReplicationSigningCertificate## ##MS_SQLAuthenticatorCertificate## ##MS_AgentSigningCertificate## ##MS_PolicyEventProcessingLogin## ##MS_PolicySigningCertificate## ##MS_PolicyTsqlExecutionLogin## All of these logins have a password of null. These logins can be seen in the master database sys.syslogins table. These findings pose a problem with our customer and I truly don't know how to fix this. I've spent the last four days trying to figure it out and so far I can't. It may be helpful if I new what checked this and why the result was considered a vulnerability. I understand that I can run a query to result all of the logins which have a null password; but what criteria makes this a vulnerability? I thought that these types of logins were used only internally and posed no security issue. Any help would be greatly appreciated. I am really stumped.